Four more breaches reported by Baylor Health affiliates (updated)

[Update: The Irving incident affected 2,308 and the McKinney incident affected 1,253. Baylor Health declined to discuss their internal security policies, so we do not know if the doctors were violating any policy by having unencrypted PHI in their email accounts or if Baylor Health permits this.]

Original article:

After posting the two phishing reports from Baylor Health locations last night, I decided to explore Baylor’s site to see if there were any other reports that might not have shown up on HHS’s public-facing breach tool. I found that there were two other facilities affected by the phishing scam, but I also uncovered two other breaches of note.

First, with respect to the phishing scheme previously described in other posts, Baylor Medical Center at Irving  notified an unspecified number of their patients about the phishing incident, as did Baylor Medical Center at McKinney.  Their website notices do not indicate how many patients at each facility were notified.

If doctors at four facilities fell for the phishing attempt, it suggests that the phishing was done very well, but it is concerning if Baylor Health permits doctors to store unencrypted patient PHI in their email accounts. I have reached out to Baylor Health to inquire about their policies, and will update this post when I get a response.

In addition to the phishing incidents, I also found this notice on Baylor All Saints Medical Center at Fort Worth (Baylor All Saints)‘s site about the theft and possible misuse of patient data:

Notice to Patients Regarding Potential Theft of Obstetrical Patient Information

Baylor All Saints Medical Center at Fort Worth (Baylor All Saints) and OBHG Texas Holdings, P.A. (OTH) are committed to protecting the security and confidentiality of our patients’ information. Regrettably, this notice is about an incident involving that information.

Baylor All Saints and OTH partner to provide obstetrical care to patients at Baylor All Saints. On February 7, 2014, Fort Worth Police Department informed us that an employee of OTH who processes physicians’ billing at Baylor All Saints may have taken and sold patient information from June 20, 2013 to January 23, 2014. OTH immediately terminated the employee and both parties began a thorough investigation to determine what information may have been taken. As part of her assigned job duties, the employee had access to portions of patients’ medical records at Baylor All Saints, which may have included patient names, dates of birth, social security numbers, addresses, phone numbers, health insurance information and clinical information. We have been unable to determine whether any patient information was misused. However, we continue to work with Fort Worth Police Department in their investigation.

This incident did not affect all Baylor All Saints or OTH patients. It only affected certain obstetrical care patients treated from June 20, 2013 to January 23, 2014.

In an abundance of caution, we began sending letters to affected patients on April 7, 2014 and have established a dedicated call center to assist patients with any questions.

If you believe you are affected, but have not received a letter by April 28, 2014, please call 1.877.803.7676, Monday through Friday between 8 a.m. and 8 p.m. Central Time.

We deeply regret any inconvenience this may cause our patients.To prevent this from happening in the future, OTH immediately terminated the employee and both parties terminated any access she had to Baylor All Saints information. In addition, both parties are strengthening safeguards for access to patients’ Social Security numbers and are also re-enforcing education with all staff regarding the importance of protecting patient information.

Frankly, I’m not sure what good re-enforcing education regarding the importance of protecting patient information will do if someone’s a bad actor. Education is helpful to those who intend to comply or are willing to comply, and less useful for those who don’t give a damn about patient privacy and are prepared to steal information for fraudulent purposes.

In any event, having learned last night that HealthTexas Provider Network is part of Baylor Health, I recalled another recent entry on HHS’s breach tool where I had not found any details. On January 10, I had noted that HealthTexas Provider Network – Cardiovascular Consultants of North Texas had reported to HHS that 2,462 patients were affected by a breach that occurred between March 16, 2012 and May 11, 2012 involving “Unauthorized Access/Disclosure,Electronic Medical Record.”

Using my super-duper Googling skills, I was able to locate a cached copy of their substitute notice:

Notice: Patient Information Potentially Compromised

HealthTexas Provider Network (“HealthTexas”), an affiliate of Baylor Health Care System (“BHCS”), is posting this notice regarding certain patients’ health information at Cardiovascular Consultants of North Texas (“CCNT”), a part of HealthTexas Provider Network in Dallas, Texas.

On May 5, 2012, HealthTexas was made aware that a former Information Services (IS) employee of BHCS had accessed the CCNT computer system, which contains patient health information, to perform a function that generated patient appointment reminder calls because he had not transitioned that duty to anyone else before he resigned. The former employee performed this activity routinely for HealthTexas when he was employed by BHCS, but continued to perform this function even after his employment ended from March 17, 2012 to May 11,2012. HealthTexas initiated the process to terminate the individual’s access after learning of the continued access. All patients whom HealthTexas has identified as being potentially affected are being notified via a personal letter. At this time, we have no reason to believe that this information has been further used or disclosed; however, out of an abundance of caution, we recommend that patients potentially affected by this incident review their insurance explanation of benefit statements (“EOBs”) for any unfamiliar activity. As a result of this investigation, the former employee’s access to the CCNT computer system was terminated, and procedures were enhanced to remove such access more timely when employees leave their position. If you have questions regarding this incident, please call toll free at 1-800-336-7717, between the hours of 9:00am and 5:00 pm, Monday through Friday.

While it’s likely that the former employee was just trying to be helpful or conscientious (and do we have a category for “random acts of kindness breaches?), it’s clear that his continued access to the system for almost two months post-termination was improper and a serious security risk. Access needs to be terminated immediately to prevent potentially disgruntled former employees from doing harm to the system or patient records.

About the author: Dissent